US20200169560A1 - Systems And Methods To Secure Publicly-Hosted Cloud Applications To Run Only Within The Context Of A Trusted Client Application - Google Patents
Systems And Methods To Secure Publicly-Hosted Cloud Applications To Run Only Within The Context Of A Trusted Client Application Download PDFInfo
- Publication number
- US20200169560A1 US20200169560A1 US16/201,610 US201816201610A US2020169560A1 US 20200169560 A1 US20200169560 A1 US 20200169560A1 US 201816201610 A US201816201610 A US 201816201610A US 2020169560 A1 US2020169560 A1 US 2020169560A1
- Authority
- US
- United States
- Prior art keywords
- handling system
- information handling
- client application
- application
- web
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/102—Entity profiles
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/90—Details of database functions independent of the retrieved data types
- G06F16/95—Retrieval from the web
- G06F16/958—Organisation or management of web site content, e.g. publishing, maintaining pages or automatic linking
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0891—Revocation or update of secret information, e.g. encryption key update or rekeying
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0894—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
- H04L2463/103—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying security measure for protecting copy right
Definitions
- This invention relates generally to information handling systems and, more particularly, to controlling execution of publicly-hosted cloud applications within a web-view of client applications running on client information handling systems.
- An information handling system generally processes, compiles, stores, and/or communicates information or data for business, personal, or other purposes thereby allowing users to take advantage of the value of the information.
- information handling systems may also vary regarding what information is handled, how the information is handled, how much information is processed, stored, or communicated, and how quickly and efficiently the information may be processed, stored, or communicated.
- the variations in information handling systems allow for information handling systems to be general or configured for a specific user or specific use such as financial transaction processing, airline reservations, enterprise data storage, or global communications.
- information handling systems may include a variety of hardware and software components that may be configured to process, store, and communicate information and may include one or more computer systems, data storage systems, and networking systems.
- the Microsoft Universal Windows Platform provides a common application platform across different types of client information handling systems (e.g., such as desktop PCs, gaming systems, mixed-reality headsets, etc.) that run the Microsoft Windows 10 operating system (OS).
- the UWP includes core application programming interfaces (APIs) that are the same on all devices that run the Windows 10 OS, and UWP applications that only require the core UWP APIs will run on any Windows 10 device.
- APIs application programming interfaces
- UWP applications are made available to end users from the Microsoft Store.
- UWP applications may execute on a client system to expose local custom application programming interfaces (APIs) and Windows APIs to be accessed by web views using UWP application content URL rules (ACURs) so as to limit the access of local APIs to a pre-defined and hard-coded URL.
- APIs application programming interfaces
- ACURs UWP application content URL rules
- a publicly-hosted cloud website application i.e., web application
- a trusted client application e.g., such as a trusted Universal Windows Platform (UWP) application
- client information handling system such as a desktop or tower personal computer (PC), laptop or notebook computer, gaming systems, mixed-reality headset, etc.
- client information handling system such as a desktop or tower personal computer (PC), laptop or notebook computer, gaming systems, mixed-reality headset, etc.
- client information handling system such as a desktop or tower personal computer (PC), laptop or notebook computer, gaming systems, mixed-reality headset, etc.
- the context in which a web server-hosted web application is to be executed and rendered as a front-end web page within a web view of a client application may be determined and used to authorize and allow the web application to execute and render within the web-view.
- Such an authentication decision may be made, for example, using front-end web application code (e.g., JavaScript) that is rendered in the client web-view together with client application code (e.g., Microsoft Windows operating system APIs) to authenticate the client application context in which the web-page is rendered.
- client application code e.g., Microsoft Windows operating system APIs
- the web application may validate that it is being rendered in the context of a trusted and/or well-known client application rendering engine/environment, e.g., such as an authorized UWP application.
- client application rendering engine/environment e.g., such as an authorized UWP application.
- authorization to allow a publicly-hosted web application to be rendered within an application web-view on a client information handling system may be advantageously limited to only specific authorized client applications, e.g., such as only those UWP or and/or other client applications that are listed by hard-coded identifier (ID) or included within a whitelist (or not included in a blacklist) provided from or created from information from the Microsoft store or from other approved source's of the client application.
- ID hard-coded identifier
- whitelist or not included in a blacklist
- client applications on a client information handling system do not require a human end user to login to the client application itself to provide full functionality.
- many of these client application/s render manufacturer-hosted web applications within web-views on the client information handling system to provide enhanced functionality such as device registration and warranty transfer, which is directly tied to the client information handling system itself and not tied to the human end user.
- access to the web application/s hosted by the manufacturer's server may only be allowed for trusted client-executed client applications executing on particular types of information handling systems, while access to the manufacturer-hosted web application/s is denied to standard web browsers and untrusted client applications executing on any client information handling system.
- a method including: launching and executing a client application on a first information handling system, the client application communicating a first request across a network to a second information handling system for a web page of a web application from the second information handling system; transferring a first portion of the web application across the network from the second information handling system to the first information handling system in response to the first client application request, the transferred first portion of the web application including authorization information; and executing the transferred first portion of the web application within the client application on the first information handling system without first fully rendering the requested web page to: obtain identity information of the client application from client application logic executing on the first information handling system, the identity information of the client application being stored on the first information handling system, compare the identity information of the client application to the authorization information to determine whether or not the client application is authorized to fully render the web page, and fully render the requested web page within the client application on a display device only if the client application is determined from the comparison to be authorized to fully render the web page.
- a system including: a first information handling system and a second information handling system; where the first information handling system includes a programmable integrated circuit executing to transfer a first portion of a web application across the network to a second information handling system in response to a first request for a web page received across the network from a client application executing on the second information handling system, the transferred first portion of the web application including authorization information; and where the second information handling system includes a display device and a programmable integrated circuit coupled to the display device, the programmable integrated circuit of the second information handling system executing the first portion of the web application within the client application on the second information handling system and without first fully rendering the requested web page to: obtain identity information of the client application from client application logic executing on the first information handling system, the identity information of the client application being stored on the first information handling system, compare the identity information of the client application to the authorization information to determine whether or not the client application is authorized to fully render the web page, and fully render the requested web page within the client application on the display device
- FIG. 1 illustrates a network architecture according to one exemplary embodiment of the disclosed systems and methods.
- FIG. 2 illustrates methodology according to one exemplary embodiment of the disclosed systems and methods.
- FIG. 3 illustrates process flow according to one exemplary embodiment of the disclosed systems and methods.
- FIG. 4 illustrates process flow according to one exemplary embodiment of the disclosed systems and methods.
- FIG. 1 illustrates one exemplary embodiment of a network architecture 100 that includes multiple information handling systems 110 , 120 , 130 , 140 and 150 that are in communication (e.g., via TCP/IP or Internet protocol) with each other across a public network 190 , such as the Internet.
- system 110 is a web server that is configured to serve at least one web application (web app) 114 across network 190 to systems 140 and 150 that are each configured as a non-mobile desktop or tower computer that execute client applications 142 a and 142 b (e.g., UWP applications), respectively.
- web app web application
- the disclosed systems and methods may be implemented to secure publicly-hosted web applications to run in trusted client application contexts that are implemented on mobile systems, e.g., such as notebook or laptop computers, tablet computers, smart phones, etc.
- mobile systems e.g., such as notebook or laptop computers, tablet computers, smart phones, etc.
- any other number of one or more client systems may be similarly hosted by one or more web servers across a network 190 .
- each of systems 110 , 120 , 130 , 140 and 150 includes at least one host processing device 102 (e.g., AMD or Intel-based CPU such as Itanium or any other type of suitable host processing device), one or more buses or communication media 103 (e.g., PCIe bus, USB, SMBus, SATA, other appropriate data buses such as memory bus, etc.), non-volatile storage 108 (e.g., hard drive/s, solid state drive/s “SSDs” and or other non-volatile memory), and system volatile memory (e.g., DRAM) 104 .
- host processing device 102 e.g., AMD or Intel-based CPU such as Itanium or any other type of suitable host processing device
- buses or communication media 103 e.g., PCIe bus, USB, SMBus, SATA, other appropriate data buses such as memory bus, etc.
- non-volatile storage 108 e.g., hard drive/s, solid state drive/s “SSDs” and or other
- the host processing device/s 102 of client systems 140 and 150 each execute a host operating system (OS) 105 (e.g., Microsoft Windows-based OS, Linux-based OS, Android OS, iOS, etc.).
- OS operating system
- Bus/es 103 provides a mechanism for the various components of system 204 to communicate and couple with one another.
- Each of systems 110 , 120 , 130 , 140 and 150 may be provided as shown with a network interface card (NIC) 106 that is communicatively coupled to network 190 to allow various components of each systems 110 , 120 , 130 , 140 and 150 to communicate through NIC 106 with components of other information handling systems across network 190 .
- NIC network interface card
- client systems 140 and 150 may include video display device (e.g., LCD display, LED display, etc.) and user interface (UI) component/s 109 that may be optionally integrated into one component (e.g., LCD or LED display touchscreen device) for displaying information to human users and for receiving user input from human users and/or may include separate video display and input/output (I/O) components (e.g., mouse, keyboard, etc.) for performing the same functions.
- video display device e.g., LCD display, LED display, etc.
- UI user interface
- I/O input/output
- Display/UI component/s 109 may be coupled to bus 103 and/or directly to host processing device 102 as shown, depending on the particular configuration of the given system (e.g., coupled directly to integrated graphics of a host processing device 102 and/or separately coupled via bus 103 to provide user input signals to host processing device 102 through other components and/or to receive video information from a graphics processor unit “GPU”).
- GPU graphics processor unit
- each of client systems 140 and 150 may be configured to obtain one or more client applications 142 across network 190 from storage 108 of client application source 130 (e.g., such as an application store), and to save them to storage 108 for future access.
- a client application 142 may then be retrieved from storage 108 and selectively launched and executed by host processing device 102 of each of systems 140 and 150 to display as shown on display device of component/s 109 of the respective system.
- Such an executing client application 142 may also implement a web view browser 144 within the client application 142 to attempt to display a requested web application 114 that has been served by web server 110 across network 190 .
- web server 110 may execute back end code of web application 114 on its host processing device 102 , and to maintain authorization information 112 .
- Authorization information 112 may be, for example, a dynamic and updateable whitelist or a static (non-updateable) hard coded identifier of client application/s 142 that are authorized to render the front end code of web application 114 as a web-page within a web-view of the client application, or may be a blacklist or hard coded identifier of client application/s 142 that are not authorized to render the front end code of web application 114 as a web-page within a web-view of the client application.
- particular client applications 142 may be identified as authorized by the authorization information 112 based on characteristics of signature authority information 134 (e.g., in the form of a Microsoft Store Signature) that is maintained by client application source 130 for each client application 142 .
- signature authority information 134 e.g., in the form of a Microsoft Store Signature
- client system 140 is shown executing an authorized client application 142 a that is allowed based on its identification in authorization information 112 as being authorized to render web page/s from web application 114 within a web-view of the authorized client application 142 a .
- client system 150 is shown executing an unauthorized client application 142 b that is not identified as being authorized by authorization information 112 and is therefore not allowed to render web application 114 as a web-page within a web-view of the unauthorized client application 142 b .
- type/s of authorization information 112 may be employed that is suitable for restricting the type and/or identity of client applications that are allowed to render web application as a web view, e.g., such as whitelist of the identities of authorized publisher/s of client application/s 142 , hard coded identification of identities of authorized publisher/s of client application/s 142 , blacklist of identities of non-authorized publisher/s of client application/s 142 , etc.
- FIG. 1 is exemplary only, and that the disclosed systems and methods may be implemented with other network configurations and configurations of information handling systems that each may include fewer, additional and/or alternative hardware and/or software/firmware components as well as any type/s of processing devices suitable implementing the disclosed systems and methods such as central processing units (CPUs), embedded controllers, keyboard controllers, microcontrollers, application specific integrated circuits (ASICs), field programmable gate arrays (FPGAs), etc.
- CPUs central processing units
- embedded controllers keyboard controllers
- microcontrollers microcontrollers
- ASICs application specific integrated circuits
- FPGAs field programmable gate arrays
- a web server 110 may also components such as baseboard management controller (BMC) and/or remote access controller (RAC) having one or more out-of-band processing devices and non-volatile memory (e.g., embedded and partitioned flash memory, Electrically Erasable Programmable Read Only Memory—EEPROM, other types of non-volatile random access memory “NVRAM”, etc.) that stores remote access controller component firmware 207 .
- BMC baseboard management controller
- RAC remote access controller
- non-volatile memory e.g., embedded and partitioned flash memory, Electrically Erasable Programmable Read Only Memory—EEPROM, other types of non-volatile random access memory “NVRAM”, etc.
- iDRAC integrated Dell Remote Access Controller
- FIG. 2 illustrates methodology 200 that may be implemented according to one exemplary embodiment to secure a publicly-hosted web application 114 so that it will render only within a trusted rendering client application 142 a that is executed by a particular client information handling system 140 .
- FIG. 2 is described herein in relation to the network architecture embodiment 100 of FIG. 1 , it being understood that methodology 200 may be employed with other network architecture embodiments, e.g., having different numbers and/or types of information handling systems, different types and/or number of client applications, different numbers and/or types of network applications, etc.
- methodology 200 begins in step 202 , where a client application 142 a or 142 b that includes web-view capability for rendering a web application web pages is developed (i.e., written and coded) by an application developer.
- Client application 142 a or 142 b may be, for example, a Microsoft Universal Windows Platform (UWP) application programmed to execute within a Microsoft OS environment, an Android web application programmed to execute within an Android OS environment, or other type of web-view-enabled application programmed to operate in Linux OS or iOS OS, etc.
- UWP Microsoft Universal Windows Platform
- the application package manifest of client application 142 a or 142 b is set up by an application developer (e.g., on client application developer system 120 ) to allow exposure of custom and operating system (OS) APIs executing on a client system (e.g., such as client systems 140 and 150 ) to a designated web application 114 that is available to client systems across network 190 from a website domain hosted by web server 110 .
- a client system e.g., such as client systems 140 and 150
- Such an application package manifest may be a Windows 10 UWP application component that contains information needed to deploy, display, or update a client application 142 (such as package identity, package dependencies, required capabilities, visual elements, extensibility points, etc.), and is digitally signed as part of signing the application package.
- the application package manifest file appears in the directory for the installed application package.
- Website domain of web server 110 may be, for example, a website domain for a manufacturer of client systems 140 and 150 , in which case web application 114 may be programmed to implement registration of an individual client system 140 and 150 with the system manufacturer, as well as to enable system warranty transfer to a human user (e.g., purchaser) of the respective client systems 140 and 150 .
- Each client application 142 a and 142 b may in one embodiment be set up to allow exposure of custom and OS APIs to web application 114 to the JavaScript running inside the webview, by, for example, by declaring a capability that is defined in the Windows application manifest file which enables access to any interfaces/API that is within a Windows Runtime (WinRT) library that is referenced in the client application 142 .
- WinRT Windows Runtime
- client applications 142 a and 142 b may be set up in such a way to allow exposure of Windows Runtime (WinRT) APIs and custom Windows APIs to code of web application 114 when launched and executing on host processing device 102 of a client system 140 .
- WinRT is a platform agnostic application architecture used within Windows 10 (and starting with Windows 8).
- Custom Windows APIs may accomplish any task the Webview JavaScript wants, and may be an interface to call into the client code from the Webview JavaScript, e.g., to get the current client application version. It may also be any interface that is written to return a value or perform some action, etc.
- client application 142 a or 142 b is published and deployed from client application developer system 120 across network 190 to client application source 130 (e.g., such as Microsoft Store or other repository of available client applications), where the client application is stored on storage 142 a or 142 b together with signature authority information 134 that cryptographically signs and verifies the identity of the publisher of the client application 142 a , but in this case does not so verify the identity of the publisher of the client application 142 b .
- Client application 142 a or 142 b is now available to be downloaded to client systems across network 190 .
- client application 142 a or 142 b is downloaded in step 208 together with its publisher identification information to client system 140 or 150 as the case may be.
- identity of the publisher of a given client application 142 may be the same as the developer of that given client application, and/or may be any other entity (e.g., human, company, corporation, etc.) that is responsible for distributing the given client application 142 to client application source 130 .
- authorization information 112 may alternatively be any other information that corresponds to a given client application 142 , e.g., such as identity of developer/s of a client application 142 (where client application developer is different from client application publisher), identity of particular authorized client application/s 142 , etc.
- Step 208 may occur, for example, in response to a request submitted from client system 140 or 150 to client application source 130 by a human user operating client system 140 / 150 , e.g., such as purchase or free download of client application 142 a or 142 b from the client application source 130 .
- a request may be automatically submitted system software or firmware that executes on host processing device 102 of client system 140 / 150 , e.g., by system manufacturer-loaded software or firmware upon initial power on and system setup of client information handling system 140 / 150 by a human end user.
- client application 142 a or 142 b is ready to be launched and executed on host processing device 102 of client system 140 or 150 in step 210 , e.g., when launched by a human user 302 as illustrated further herein in regard to FIGS. 3 and 4 .
- client application 142 a or 142 b requests and attempts to load web application 114 across network 190 from web server 110 in step 212 as shown.
- steps 222 through 226 of methodology 200 are performed prior to attempted loading of web application 114 in step 212 .
- the publisher of client application 142 a or 142 b is registered on web server 110 before performing a verification step 224 that determines whether the particular client application 142 a or 142 b is authorized by authorization information 112 (e.g., is added to a white list, is identified by hard coding ID, is not added to a blacklist, etc.) maintained on web server 110 .
- authorization information 112 e.g., is added to a white list, is identified by hard coding ID, is not added to a blacklist, etc.
- steps 222 through 226 may be performed, for example, by web server administrative personnel and/or by automated server firmware/software executing on host processing device 102 of web server 110 and/or other systems, etc.
- the publisher of a client application 142 a or 142 b may in one embodiment be manually registered on web server 110 by steps in which an owner or operator of the client application developer system 120 that is the source of the client application 142 a may manually request that the publisher of the client application 142 a be added to an authorized client application whitelist or other authorization information 112 maintained on the web server system 110 .
- the publisher of the given client application 142 a or 142 b may then be verified (or not verified) across network 190 in step 224 by querying the custom APIs for the particular client application's publisher to confirm that the publisher is cryptographically signed by signature authority information 134 on the client application source 130 .
- methodology 200 proceeds to 226 where the verified publisher of the now-authorized client application 142 a is indicated to be authorized (e.g., added to a whitelist, or removed from a blacklist) by authorization information 112 maintained in storage 108 of web server system 110 .
- authorization information 112 may be a whitelist on web server system 110 that includes one or more verified publishers and may be added to or expanded over time to include new publishers as they are verified in separate instances of step 224 .
- identification information e.g., name or identification code corresponding to the verified publisher of the given authorized client application 142 a
- the software code e.g., a combination of hypertext markup language “HTML”, cascading style sheets “CSS”, and JavaScript code
- HTML hypertext markup language
- CSS cascading style sheets
- JavaScript code e.g., a combination of hypertext markup language “HTML”, cascading style sheets “CSS”, and JavaScript code
- a current client application 142 e.g., authorized client application 142 a or unauthorized client application 142 b
- the host processing device 102 of the web server 110 responds in step 228 by transferring web application code (e.g., HTML, CSS and JavaScript code) of the particular requested web application 114 (together with the previously-described authorization information 112 of step 227 ) to the requesting client system 140 across network 190 .
- web application code e.g., HTML, CSS and JavaScript code
- this code of web application 114 may be programmed to execute on client system 140 or 150 together with the launched client application 142 to perform step 214 of FIG. 2 , i.e., to determine whether a particular launched and executed client application 142 a or 142 b is authorized by authorization information 112 to render the requested web application 114 in web view 144 on client system 140 or 150 . If so authorized, the client application 142 renders the requested web application 114 in web view 144 during step 216 . If not so authorized, the client application 142 does not render the requested web application 114 in web view 144 . Thus, in the case of the exemplary embodiment of FIG. 1 , authorized client application 142 a would be allowed to render the requested web application in web view 144 on client system 140 , while unauthorized client application 142 b would not be allowed to render the requested web application in web view 144 on client system 150 .
- FIG. 3 illustrates one exemplary embodiment of a detailed process flow for launching and authenticating a client application 142 for rendering a requested web application 114 in web view 144 during web session creation between web server 110 and a client information handling system 140 or 150 .
- web application 114 may be a warranty transfer and registration application for a desktop or tower computer system.
- authentication is limited to only those desktop or tower client systems that execute a client application 142 that uses a Microsoft Chakra JavaScript engine on a Microsoft Edge Browser, i.e., to limit rendering of the web application 114 on desktop computer systems implementing a Microsoft Chakra Edge Browser and not on any mobile computing device or mobile information handling system.
- the disclosed systems and methods may be implemented for authenticating client applications for rendering other types of web applications (e.g., non-warranty or registration web applications) on other types of systems (e.g., including mobile information handling systems such as tablet computers, notebook computers, smart phones, convertible computers, etc.) running other types of browser software.
- web applications e.g., non-warranty or registration web applications
- mobile information handling systems such as tablet computers, notebook computers, smart phones, convertible computers, etc.
- the launched and executing client application 142 responds by initiating a request (e.g., via URL over a secure HTTPS connection) for a web page of web application 114 from web server 110 across network 190 .
- the web application 114 may be a single page application (SPA) programmed to load a single HTML web page, and to execute JavaScript and CSS on the client system to dynamically update the webpage in response to further input from user 302 with or without reloading the web page or transferring additional HTML code from web server 110 .
- SPA single page application
- the web server 110 may respond to the web page request by sending HTML, CSS and JavaScript of the web application 114 (together with authorization information 112 ) corresponding to the requested web page to the executing client application 142 across network 190 .
- the requested web application 114 then loads and uses its JavaScript code to prerender the requested web page 310 as a static web page in web view 144 of the executing client application 142 on display device of component/s 109 of the client system.
- the JavaScript of the prerendered static web page 310 is not enabled to update or otherwise alter the prerendered web page 310 with additional data from web server 110 in response to input from user 302 , e.g., that is provided by the user via I/O devices of the client system such as mouse, keyboard, touch pad, touch screen, etc.
- authorization methodology 311 first determines in step 312 whether the web view engine of the current client application 114 is not a UWP application running a Microsoft Chakra Edge browser. In step 314 , authorization methodology 311 determines if the current client system 140 or 150 is a mobile device (e.g., notebook computer, smart phone, tablet computer, convertible computer, etc.).
- a mobile device e.g., notebook computer, smart phone, tablet computer, convertible computer, etc.
- steps of methodology 311 terminate without ever rendering any content of the requested web page 310 as a dynamic web page within web view 144 , e.g., successfully preventing malicious and unauthorized actors to view/interact with the web application 114 outside the context of an authorized client application 142 a .
- steps 312 and 314 are optional to filter out non-UWP client applications and mobile devices.
- methodology 311 may proceed directly to step 318 described below (i.e., without intervening steps 312 and/or 314 ).
- authorization methodology 311 proceeds to step 318 , where the web application JavaScript requests identity information of the publisher of the executing client application 142 (e.g., a UWP application) from client application logic 304 of the executing client application 142 , e.g., in this case Windows Runtime (WinRT) APIs and Custom RT APIs of the client application 114 as shown.
- WinRT Windows Runtime
- client application 142 may execute to expose local custom APIs and WinRT APIs to allow them to be accessed by web-view 144 , e.g., using UWP application Content URL Rules (ACURs) that limit the access of local APIs to pre-defined and hard-coded URL/s of remote system resources.
- ACURs UWP application Content URL Rules
- Client application logic 304 responds as shown in step 320 by returning identity information (e.g., name or identification code corresponding to the publisher of the given client application cryptographically tied to client application source 130 ) via the hard-coded URL and ACURs to the executing JavaScript of the web application 114 of the web view 144 .
- identity information e.g., name or identification code corresponding to the publisher of the given client application cryptographically tied to client application source 130
- JavaScript of authorization methodology 311 then verifies the publisher of the launched client application 142 versus the authorization information 112 that is included in the code of the currently loaded web application 114 , e.g., by determining if the identification information of the publisher of the current client application 142 is listed as being authorized by a whitelist or hard code ID, or is listed as being unauthorized in a blacklist or by a hard code ID, etc.
- methodology 311 determines in step 324 if the currently-launched client application 142 is trusted and therefore an authorized client application to render web page 310 of the web application 114 in web view 144 . If not, then methodology 311 proceeds to step 316 which is performed as previously described. This would occur, for example, in the case of client information handling system 150 of FIG. 1 which is executing a launched unauthorized application 142 b.
- step 311 proceeds to step 326 where the executing JavaScript of the web application 114 requests a cryptographic token (i.e., a token where the secret is a cryptographic key) from client application logic 304 of the executing client application 142 a .
- a cryptographic token i.e., a token where the secret is a cryptographic key
- Client application logic 304 responds to this request first in step 328 by creating a cryptographically random session identifier (ID) to use in all future requests made to the backend of web application 114 on web server 110 , and then in step 330 storing this created session ID in an application ID table or other data structure that is maintained in volatile system memory 104 for the current web session on the current client system 140 .
- ID cryptographically random session identifier
- Client application logic 304 then provides the created session ID of step 328 to JavaScript of the web application 114 , which in turn stores the created session ID during step 332 in a JavaScript variable that has global scope (i.e., all scripts and function on the web page can access it) for transmission to web server 110 (e.g., as cookie, URL, etc.) as part of future requests to the web server 110 that are made during the same current web session.
- JavaScript i.e., all scripts and function on the web page can access it
- step 332 the client system 140 executing the authorized client application 142 a connects to the backend of web application 114 on web server 110 using the session ID provided by the web page/web application front end code 311 in step 332 to “authenticate” on the given interface URL.
- the session ID is transmitted to web server 110 at this time where the web server 110 stores the session ID (e.g., in system memory 104 of web server 110 ) for future authentication of requests made by the client application 142 a during the same web session.
- the client system 140 will be allowed to use any interface that the web server 110 exposes, and all future updates from the backend web application 114 on web server 110 , and transfer of sensitive data between the exposed APIs from the client application context with the web page are both secured.
- an additional step may be added to provide access control list (ACL) control on the interfaces to provide another level of security if desired.
- ACL access control list
- full dynamic rendering of the web page 310 in web view 144 is now allowed at this time, meaning that JavaScript on the displayed web page 310 is now enbabled to update or otherwise alter the prerendered web page 310 in response to input received from user 302 , e.g., provided via I/O devices of the client system such as mouse, keyboard, touch pad, touch screen, etc.
- FIG. 4 illustrates one exemplary embodiment of a detailed process flow for authenticating a user-request for loading a new web page or for a change to a web page 310 that is already displayed in web view 144 during an existing web session on a client system 140 , such as is the case after completion of step 216 of FIG. 2 and step 332 of FIG. 3 .
- human user 302 provides input requesting the new web page or web page change to launched and executing client application 142 (e.g., by clicking a link or particular portion of the dynamically rendered web page 310 displayed in web view 144 ).
- client application 142 responds by requesting (e.g., using HTTPS request) the new web page or update/s to the existing web page 310 across network 190 from backend code of web application 114 that is executing on web server 110 .
- the web server 110 may respond to the web page request by sending HTML, CSS and JavaScript updates or a new web page corresponding to the latest user request to the executing client application 142 across network 190 .
- the web server 110 also provides the previously stored session ID (e.g., from step 332 of FIG. 3 ) to the client application 142 across network 190 .
- the frontend of web application 114 executing on the client system 140 then loads and uses its JavaScript code to prerender the requested web page changes or new web page as a static web page in web view 144 of the executing client application 142 on display device of component/s 109 of the client system.
- frontend JavaScript of the web application 114 performs client application authorization methodology 315 for an existing web session (i.e., a pre-existing session ID exists).
- client application authorization methodology 315 provides the existing session ID received from web server 110 to client application logic 304 of the executing client application 142 for verification.
- Client application logic 304 responds as shown in step 404 by retrieving any current session ID (e.g., previously stored in step 330 of FIG.
- client application logic 304 provides a TRUE value to frontend JavaScript 315 of the web application 114 which responds in step 408 by allowing transfer and full dynamic rendering of the requested web page updates or new web page 310 from web server 110 for rending in web view 144 .
- client application logic 304 provides a FALSE value to frontend JavaScript 315 of the web application 114 which responds in step 410 by setting a global flag to false and displaying an error page to the user 302 on display device of component/s 109 .
- steps of methodology 315 terminate without transfer and dynamic rendering of the requested web page update or new web page 310 .
- FIGS. 3 and 4 may be optionally performed in one embodiment without requiring human user 302 to enter any login information (or to otherwise present user credentials such as ID and password) to the web application 114 and/or client application 142 .
- such an embodiment may be advantageously implemented to make an authorization decision as to whether to allow a client application 142 to render a web application 114 within web-view 144 on a client system 140 or 150 based on characteristics of the client system itself and not on characteristics (e.g., credentials) of the human end user 302 .
- user characteristics e.g. such as user ID and password
- methodologies 3 and 4 are exemplary only, and that any combination of fewer, additional and/or alternative steps may be employed that are suitable for determining whether or not to authorize and allow a given web application to execute and render as a web page within a web-view of a client application based on a determined client application context (e.g., identity of the client application) in which the web application is to be executed and rendered as a web-page.
- client application context e.g., identity of the client application
- one or more of the tasks, functions, or methodologies described herein may be implemented by circuitry and/or by a computer program of instructions (e.g., computer readable code such as firmware code or software code) embodied in a non-transitory tangible computer readable medium (e.g., optical disk, magnetic disk, non-volatile memory device, etc.), in which the computer program comprising instructions is configured when executed on a processing device in the form of a programmable integrated circuit (e.g., processor such as CPU, controller, microcontroller, microprocessor, ASIC, etc.
- a computer program of instructions e.g., computer readable code such as firmware code or software code
- a non-transitory tangible computer readable medium e.g., optical disk, magnetic disk, non-volatile memory device, etc.
- the computer program comprising instructions is configured when executed on a processing device in the form of a programmable integrated circuit (e.g., processor such as CPU, controller, microcontroller, microprocessor, ASIC,
- programmable logic device such as FPGA, complex programmable logic device “CPLD”, etc.
- PLD programmable logic device
- a group of such processing devices may be selected from the group consisting of CPU, controller, microcontroller, microprocessor, FPGA, CPLD and ASIC.
- the computer program of instructions may include an ordered listing of executable instructions for implementing logical functions in an information handling system or component thereof.
- the executable instructions may include a plurality of code segments operable to instruct components of an information handling system to perform the methodologies disclosed herein.
- a processing device may be configured to execute or otherwise be programmed with software, firmware, logic, and/or other program instructions stored in one or more non-transitory tangible computer-readable mediums (e.g., data storage devices, flash memories, random update memories, read only memories, programmable memory devices, reprogrammable storage devices, hard drives, floppy disks, DVDs, CD-ROMs, and/or any other tangible data storage mediums) to perform the operations, tasks, functions, or actions described herein for the disclosed embodiments.
- non-transitory tangible computer-readable mediums e.g., data storage devices, flash memories, random update memories, read only memories, programmable memory devices, reprogrammable storage devices, hard drives, floppy disks, DVDs, CD-ROMs, and/or any other tangible data storage mediums
- an information handling system may include any instrumentality or aggregate of instrumentalities operable to compute, calculate, determine, classify, process, transmit, receive, retrieve, originate, switch, store, display, communicate, manifest, detect, record, reproduce, handle, or utilize any form of information, intelligence, or data for business, scientific, control, or other purposes.
- an information handling system may be a personal computer (e.g., desktop or laptop), tablet computer, mobile device (e.g., personal digital assistant (PDA) or smart phone), server (e.g., blade server or rack server), a network storage device, or any other suitable device and may vary in size, shape, performance, functionality, and price.
- the information handling system may include random access memory (RAM), one or more processing resources such as a central processing unit (CPU) or hardware or software control logic, ROM, and/or other types of nonvolatile memory. Additional components of the information handling system may include one or more disk drives, one or more network ports for communicating with external devices as well as various input and output (I/O) devices, such as a keyboard, a mouse, touch screen and/or a video display. The information handling system may also include one or more buses operable to transmit communications between the various hardware components.
- RAM random access memory
- processing resources such as a central processing unit (CPU) or hardware or software control logic
- ROM read-only memory
- Additional components of the information handling system may include one or more disk drives, one or more network ports for communicating with external devices as well as various input and output (I/O) devices, such as a keyboard, a mouse, touch screen and/or a video display.
- I/O input and output
- the information handling system may also include one or more buses operable to transmit communications between
Abstract
Description
- This invention relates generally to information handling systems and, more particularly, to controlling execution of publicly-hosted cloud applications within a web-view of client applications running on client information handling systems.
- As the value and use of information continues to increase, individuals and businesses seek additional ways to process and store information. One option available to users is information handling systems. An information handling system generally processes, compiles, stores, and/or communicates information or data for business, personal, or other purposes thereby allowing users to take advantage of the value of the information. Because technology and information handling needs and requirements vary between different users or applications, information handling systems may also vary regarding what information is handled, how the information is handled, how much information is processed, stored, or communicated, and how quickly and efficiently the information may be processed, stored, or communicated. The variations in information handling systems allow for information handling systems to be general or configured for a specific user or specific use such as financial transaction processing, airline reservations, enterprise data storage, or global communications. In addition, information handling systems may include a variety of hardware and software components that may be configured to process, store, and communicate information and may include one or more computer systems, data storage systems, and networking systems.
- The Microsoft Universal Windows Platform (UWP) provides a common application platform across different types of client information handling systems (e.g., such as desktop PCs, gaming systems, mixed-reality headsets, etc.) that run the Microsoft Windows 10 operating system (OS). The UWP includes core application programming interfaces (APIs) that are the same on all devices that run the Windows 10 OS, and UWP applications that only require the core UWP APIs will run on any Windows 10 device. UWP applications are made available to end users from the Microsoft Store.
- Integration of server-hosted web content and local client information handling system content is becoming increasingly common. There are many cases in which a cloud-hosted website application (web application) executing on a web server needs to be rendered in a web view within the UWP application. Since web applications are public facing, any human user, web crawler or malicious actor can interact via the Internet with the server-hosted web application which could lead to vulnerabilities such as the disclosure and/or tampering of sensitive application data on the server. Traditional authentication mechanisms (e.g., such as username/password, application programing interface “API” Keys, session tokens, etc.) require the human end user to login to the web application with credentials. However, these traditional authentication methods are limited to web applications that are human user-account based and do not lend themselves to UWP applications that need to allow all human end users to interact with a server-hosted web application when it is rendered within a UWP application executing on a particular client information handling system.
- UWP applications may execute on a client system to expose local custom application programming interfaces (APIs) and Windows APIs to be accessed by web views using UWP application content URL rules (ACURs) so as to limit the access of local APIs to a pre-defined and hard-coded URL.
- Disclosed herein are systems and methods that may be implemented to secure a publicly-hosted cloud website application (i.e., web application) so that it will render only within a trusted client application (e.g., such as a trusted Universal Windows Platform (UWP) application) that is executed by particular client information handling system, such as a desktop or tower personal computer (PC), laptop or notebook computer, gaming systems, mixed-reality headset, etc. In one embodiment, the context in which a web server-hosted web application is to be executed and rendered as a front-end web page within a web view of a client application may be determined and used to authorize and allow the web application to execute and render within the web-view. Such an authentication decision may be made, for example, using front-end web application code (e.g., JavaScript) that is rendered in the client web-view together with client application code (e.g., Microsoft Windows operating system APIs) to authenticate the client application context in which the web-page is rendered. In this way, the web application may validate that it is being rendered in the context of a trusted and/or well-known client application rendering engine/environment, e.g., such as an authorized UWP application. This is in contrast to conventional publically-hosted web applications which can be accessed by any client information handling system browser or application regardless of context, unless the web application is protected by a human user-specific login and password.
- In one embodiment, authorization to allow a publicly-hosted web application to be rendered within an application web-view on a client information handling system may be advantageously limited to only specific authorized client applications, e.g., such as only those UWP or and/or other client applications that are listed by hard-coded identifier (ID) or included within a whitelist (or not included in a blacklist) provided from or created from information from the Microsoft store or from other approved source's of the client application. In this way access to the publicly-hosted web application may be limited on the basis of the client hardware platform executing the client application, regardless of the identity of the human user that is operating the client information handling system. For example, many factory-installed client applications on a client information handling system do not require a human end user to login to the client application itself to provide full functionality. However, many of these client application/s render manufacturer-hosted web applications within web-views on the client information handling system to provide enhanced functionality such as device registration and warranty transfer, which is directly tied to the client information handling system itself and not tied to the human end user. In such a case, access to the web application/s hosted by the manufacturer's server may only be allowed for trusted client-executed client applications executing on particular types of information handling systems, while access to the manufacturer-hosted web application/s is denied to standard web browsers and untrusted client applications executing on any client information handling system.
- In one respect, disclosed herein is a method, including: launching and executing a client application on a first information handling system, the client application communicating a first request across a network to a second information handling system for a web page of a web application from the second information handling system; transferring a first portion of the web application across the network from the second information handling system to the first information handling system in response to the first client application request, the transferred first portion of the web application including authorization information; and executing the transferred first portion of the web application within the client application on the first information handling system without first fully rendering the requested web page to: obtain identity information of the client application from client application logic executing on the first information handling system, the identity information of the client application being stored on the first information handling system, compare the identity information of the client application to the authorization information to determine whether or not the client application is authorized to fully render the web page, and fully render the requested web page within the client application on a display device only if the client application is determined from the comparison to be authorized to fully render the web page.
- In another respect, disclosed herein is a system, including: a first information handling system and a second information handling system; where the first information handling system includes a programmable integrated circuit executing to transfer a first portion of a web application across the network to a second information handling system in response to a first request for a web page received across the network from a client application executing on the second information handling system, the transferred first portion of the web application including authorization information; and where the second information handling system includes a display device and a programmable integrated circuit coupled to the display device, the programmable integrated circuit of the second information handling system executing the first portion of the web application within the client application on the second information handling system and without first fully rendering the requested web page to: obtain identity information of the client application from client application logic executing on the first information handling system, the identity information of the client application being stored on the first information handling system, compare the identity information of the client application to the authorization information to determine whether or not the client application is authorized to fully render the web page, and fully render the requested web page within the client application on the display device of the second information handling system only if the client application is determined from the comparison to be authorized to fully render the web page.
-
FIG. 1 illustrates a network architecture according to one exemplary embodiment of the disclosed systems and methods. -
FIG. 2 illustrates methodology according to one exemplary embodiment of the disclosed systems and methods. -
FIG. 3 illustrates process flow according to one exemplary embodiment of the disclosed systems and methods. -
FIG. 4 illustrates process flow according to one exemplary embodiment of the disclosed systems and methods. -
FIG. 1 illustrates one exemplary embodiment of anetwork architecture 100 that includes multipleinformation handling systems public network 190, such as the Internet. In this embodiment,system 110 is a web server that is configured to serve at least one web application (web app) 114 acrossnetwork 190 tosystems client applications network 190. - In
FIG. 1 , each ofsystems client systems es 103 provides a mechanism for the various components ofsystem 204 to communicate and couple with one another. Each ofsystems network 190 to allow various components of eachsystems NIC 106 with components of other information handling systems acrossnetwork 190. - As further shown in
FIG. 1 ,client systems s 109 that may be optionally integrated into one component (e.g., LCD or LED display touchscreen device) for displaying information to human users and for receiving user input from human users and/or may include separate video display and input/output (I/O) components (e.g., mouse, keyboard, etc.) for performing the same functions. Display/UI component/s 109 may be coupled tobus 103 and/or directly tohost processing device 102 as shown, depending on the particular configuration of the given system (e.g., coupled directly to integrated graphics of ahost processing device 102 and/or separately coupled viabus 103 to provide user input signals tohost processing device 102 through other components and/or to receive video information from a graphics processor unit “GPU”). - As shown, each of
client systems more client applications 142 acrossnetwork 190 fromstorage 108 of client application source 130 (e.g., such as an application store), and to save them tostorage 108 for future access. Aclient application 142 may then be retrieved fromstorage 108 and selectively launched and executed byhost processing device 102 of each ofsystems s 109 of the respective system. Such an executingclient application 142 may also implement aweb view browser 144 within theclient application 142 to attempt to display a requestedweb application 114 that has been served byweb server 110 acrossnetwork 190. - As described further herein,
web server 110 may execute back end code ofweb application 114 on itshost processing device 102, and to maintainauthorization information 112.Authorization information 112 may be, for example, a dynamic and updateable whitelist or a static (non-updateable) hard coded identifier of client application/s 142 that are authorized to render the front end code ofweb application 114 as a web-page within a web-view of the client application, or may be a blacklist or hard coded identifier of client application/s 142 that are not authorized to render the front end code ofweb application 114 as a web-page within a web-view of the client application. In one embodiment,particular client applications 142 may be identified as authorized by theauthorization information 112 based on characteristics of signature authority information 134 (e.g., in the form of a Microsoft Store Signature) that is maintained byclient application source 130 for eachclient application 142. - In
FIG. 1 ,client system 140 is shown executing an authorizedclient application 142 a that is allowed based on its identification inauthorization information 112 as being authorized to render web page/s fromweb application 114 within a web-view of the authorizedclient application 142 a. However,client system 150 is shown executing anunauthorized client application 142 b that is not identified as being authorized byauthorization information 112 and is therefore not allowed to renderweb application 114 as a web-page within a web-view of theunauthorized client application 142 b. It will be understood that type/s ofauthorization information 112 may be employed that is suitable for restricting the type and/or identity of client applications that are allowed to render web application as a web view, e.g., such as whitelist of the identities of authorized publisher/s of client application/s 142, hard coded identification of identities of authorized publisher/s of client application/s 142, blacklist of identities of non-authorized publisher/s of client application/s 142, etc. - It will be understood that
FIG. 1 is exemplary only, and that the disclosed systems and methods may be implemented with other network configurations and configurations of information handling systems that each may include fewer, additional and/or alternative hardware and/or software/firmware components as well as any type/s of processing devices suitable implementing the disclosed systems and methods such as central processing units (CPUs), embedded controllers, keyboard controllers, microcontrollers, application specific integrated circuits (ASICs), field programmable gate arrays (FPGAs), etc. Moreover, in some embodiments, aweb server 110 may also components such as baseboard management controller (BMC) and/or remote access controller (RAC) having one or more out-of-band processing devices and non-volatile memory (e.g., embedded and partitioned flash memory, Electrically Erasable Programmable Read Only Memory—EEPROM, other types of non-volatile random access memory “NVRAM”, etc.) that stores remote access controller component firmware 207. Examples of such a remote access controller include an integrated Dell Remote Access Controller (iDRAC) available from Dell Technologies Inc. of Round Rock, Tex., etc.). Further information on possible configuration and operation of servers, clients, and network communications between the same may be found in United States Patent Application Publication 2017/0270301, and in U.S. patent application Ser. No. 15/691,325 filed Aug. 30, 2017, each of which is incorporated herein by reference its entirety for all purposes. -
FIG. 2 illustratesmethodology 200 that may be implemented according to one exemplary embodiment to secure a publicly-hostedweb application 114 so that it will render only within a trustedrendering client application 142 a that is executed by a particular clientinformation handling system 140. For purposes of illustration,FIG. 2 is described herein in relation to thenetwork architecture embodiment 100 ofFIG. 1 , it being understood thatmethodology 200 may be employed with other network architecture embodiments, e.g., having different numbers and/or types of information handling systems, different types and/or number of client applications, different numbers and/or types of network applications, etc. - As shown in
FIG. 2 ,methodology 200 begins instep 202, where aclient application Client application - Next, in
step 204, the application package manifest ofclient application client systems 140 and 150) to a designatedweb application 114 that is available to client systems acrossnetwork 190 from a website domain hosted byweb server 110. Such an application package manifest may be a Windows 10 UWP application component that contains information needed to deploy, display, or update a client application 142 (such as package identity, package dependencies, required capabilities, visual elements, extensibility points, etc.), and is digitally signed as part of signing the application package. After installation, the application package manifest file appears in the directory for the installed application package. - Website domain of
web server 110 may be, for example, a website domain for a manufacturer ofclient systems case web application 114 may be programmed to implement registration of anindividual client system respective client systems client application web application 114 to the JavaScript running inside the webview, by, for example, by declaring a capability that is defined in the Windows application manifest file which enables access to any interfaces/API that is within a Windows Runtime (WinRT) library that is referenced in theclient application 142. As an example, given a Windows 10 OS environment,client applications web application 114 when launched and executing onhost processing device 102 of aclient system 140. In this regard, WinRT is a platform agnostic application architecture used within Windows 10 (and starting with Windows 8). Custom Windows APIs may accomplish any task the Webview JavaScript wants, and may be an interface to call into the client code from the Webview JavaScript, e.g., to get the current client application version. It may also be any interface that is written to return a value or perform some action, etc. - Next, in
step 206,client application application developer system 120 acrossnetwork 190 to client application source 130 (e.g., such as Microsoft Store or other repository of available client applications), where the client application is stored onstorage signature authority information 134 that cryptographically signs and verifies the identity of the publisher of theclient application 142 a, but in this case does not so verify the identity of the publisher of theclient application 142 b.Client application network 190. In this example,client application step 208 together with its publisher identification information toclient system client application 142 may be the same as the developer of that given client application, and/or may be any other entity (e.g., human, company, corporation, etc.) that is responsible for distributing the givenclient application 142 toclient application source 130. It will also be understood that in otherembodiments authorization information 112 may alternatively be any other information that corresponds to a givenclient application 142, e.g., such as identity of developer/s of a client application 142 (where client application developer is different from client application publisher), identity of particular authorized client application/s 142, etc. - Step 208 may occur, for example, in response to a request submitted from
client system client application source 130 by a human useroperating client system 140/150, e.g., such as purchase or free download ofclient application client application source 130. Alternatively, such a request may be automatically submitted system software or firmware that executes onhost processing device 102 ofclient system 140/150, e.g., by system manufacturer-loaded software or firmware upon initial power on and system setup of clientinformation handling system 140/150 by a human end user. Afterstep 208,client application host processing device 102 ofclient system step 210, e.g., when launched by ahuman user 302 as illustrated further herein in regard toFIGS. 3 and 4 . When so launched,client application web application 114 acrossnetwork 190 fromweb server 110 instep 212 as shown. - Still referring to
FIG. 2 ,steps 222 through 226 ofmethodology 200 are performed prior to attempted loading ofweb application 114 instep 212. Instep 222, the publisher ofclient application web server 110 before performing averification step 224 that determines whether theparticular client application web server 110. In this regard, steps 222 through 226 may be performed, for example, by web server administrative personnel and/or by automated server firmware/software executing onhost processing device 102 ofweb server 110 and/or other systems, etc. In one example ofstep 222, the publisher of aclient application web server 110 by steps in which an owner or operator of the clientapplication developer system 120 that is the source of theclient application 142 a may manually request that the publisher of theclient application 142 a be added to an authorized client application whitelist orother authorization information 112 maintained on theweb server system 110. The publisher of the givenclient application network 190 instep 224 by querying the custom APIs for the particular client application's publisher to confirm that the publisher is cryptographically signed bysignature authority information 134 on theclient application source 130. - If the publisher of a client application (in this example,
client application 142 a) is verified instep 224, thenmethodology 200 proceeds to 226 where the verified publisher of the now-authorizedclient application 142 a is indicated to be authorized (e.g., added to a whitelist, or removed from a blacklist) byauthorization information 112 maintained instorage 108 ofweb server system 110. However, where a client application publisher is not verified in step 224 (e.g., the publisher is not cryptographically signed bysignature authority information 134 on the client application source 130), then the publisher of the now non-authorized client application (in this example,client application 142 b) is not indicated to be authorized (e.g., not added to a whitelist, or added to a blacklist) by the webserver authorization information 112 andmethodology 200 instead skips directly to step 228 forclient application 142 b. In oneembodiment authorization information 112 may be a whitelist onweb server system 110 that includes one or more verified publishers and may be added to or expanded over time to include new publishers as they are verified in separate instances ofstep 224. - In the case where the publisher of a given authorized
client application 142 a is indicated to be authorized by a whitelist instep 226, then identification information (e.g., name or identification code corresponding to the verified publisher of the given authorizedclient application 142 a) is added to or otherwise linked as part of the whitelist information instep 227 to the software code (e.g., a combination of hypertext markup language “HTML”, cascading style sheets “CSS”, and JavaScript code) of one or more web application/s 114 maintained onstorage 108 ofweb server 110. As previously described, other types ofauthorization information 112 besides a whitelist may be employed and linked in similar manner to the software code of web application/s 114 maintained onstorage 108 ofweb server 110. - Returning now to step 212 of
FIG. 2 , when a current client application 142 (e.g., authorizedclient application 142 a orunauthorized client application 142 b) that is executing on ahost processing device 102 of aclient system particular web application 114 acrossnetwork 190 fromweb server 110, thehost processing device 102 of theweb server 110 responds instep 228 by transferring web application code (e.g., HTML, CSS and JavaScript code) of the particular requested web application 114 (together with the previously-describedauthorization information 112 of step 227) to the requestingclient system 140 acrossnetwork 190. As further illustrated and described in relation toFIGS. 3 and 4 , this code ofweb application 114 may be programmed to execute onclient system client application 142 to performstep 214 ofFIG. 2 , i.e., to determine whether a particular launched and executedclient application authorization information 112 to render the requestedweb application 114 inweb view 144 onclient system client application 142 renders the requestedweb application 114 inweb view 144 duringstep 216. If not so authorized, theclient application 142 does not render the requestedweb application 114 inweb view 144. Thus, in the case of the exemplary embodiment ofFIG. 1 , authorizedclient application 142 a would be allowed to render the requested web application inweb view 144 onclient system 140, whileunauthorized client application 142 b would not be allowed to render the requested web application inweb view 144 onclient system 150. -
FIG. 3 illustrates one exemplary embodiment of a detailed process flow for launching and authenticating aclient application 142 for rendering a requestedweb application 114 inweb view 144 during web session creation betweenweb server 110 and a clientinformation handling system web application 114 may be a warranty transfer and registration application for a desktop or tower computer system. Thus, inFIG. 3 , authentication is limited to only those desktop or tower client systems that execute aclient application 142 that uses a Microsoft Chakra JavaScript engine on a Microsoft Edge Browser, i.e., to limit rendering of theweb application 114 on desktop computer systems implementing a Microsoft Chakra Edge Browser and not on any mobile computing device or mobile information handling system. However, the disclosed systems and methods may be implemented for authenticating client applications for rendering other types of web applications (e.g., non-warranty or registration web applications) on other types of systems (e.g., including mobile information handling systems such as tablet computers, notebook computers, smart phones, convertible computers, etc.) running other types of browser software. - As shown in
FIG. 3 , whenhuman user 302 launchesclient application 142 onhost processing device 102 of aclient system client application 142 responds by initiating a request (e.g., via URL over a secure HTTPS connection) for a web page ofweb application 114 fromweb server 110 acrossnetwork 190. In one embodiment, theweb application 114 may be a single page application (SPA) programmed to load a single HTML web page, and to execute JavaScript and CSS on the client system to dynamically update the webpage in response to further input fromuser 302 with or without reloading the web page or transferring additional HTML code fromweb server 110. Theweb server 110 may respond to the web page request by sending HTML, CSS and JavaScript of the web application 114 (together with authorization information 112) corresponding to the requested web page to the executingclient application 142 acrossnetwork 190. The requestedweb application 114 then loads and uses its JavaScript code to prerender the requestedweb page 310 as a static web page inweb view 144 of the executingclient application 142 on display device of component/s 109 of the client system. At this time, the JavaScript of the prerenderedstatic web page 310 is not enabled to update or otherwise alter theprerendered web page 310 with additional data fromweb server 110 in response to input fromuser 302, e.g., that is provided by the user via I/O devices of the client system such as mouse, keyboard, touch pad, touch screen, etc. - As shown in
FIG. 3 , before allowing full rendering of theweb page 310 as a dynamic web page, front end JavaScript of theweb application 114 performs user interface and clientapplication authorization methodology 311 for a new web session (i.e., no pre-existing web session ID exists). In the particular embodiment ofFIG. 3 ,authorization methodology 311 first determines instep 312 whether the web view engine of thecurrent client application 114 is not a UWP application running a Microsoft Chakra Edge browser. Instep 314,authorization methodology 311 determines if thecurrent client system step 316 and the JavaScript of theweb application 114 redirects to an error page is displayed to theuser 302 on display device of component/s 109 of the client system. In this case, steps ofmethodology 311 terminate without ever rendering any content of the requestedweb page 310 as a dynamic web page withinweb view 144, e.g., successfully preventing malicious and unauthorized actors to view/interact with theweb application 114 outside the context of an authorizedclient application 142 a. It will be understood thatsteps other embodiments methodology 311 may proceed directly to step 318 described below (i.e., without interveningsteps 312 and/or 314). - Still referring to
FIG. 3 , if theclient application 142 is a UWP application executing a Microsoft Chakra Edge browser and is not a mobile device, thenauthorization methodology 311 proceeds to step 318, where the web application JavaScript requests identity information of the publisher of the executing client application 142 (e.g., a UWP application) fromclient application logic 304 of the executingclient application 142, e.g., in this case Windows Runtime (WinRT) APIs and Custom RT APIs of theclient application 114 as shown. In this regard,client application 142 may execute to expose local custom APIs and WinRT APIs to allow them to be accessed by web-view 144, e.g., using UWP application Content URL Rules (ACURs) that limit the access of local APIs to pre-defined and hard-coded URL/s of remote system resources. -
Client application logic 304 responds as shown in step 320 by returning identity information (e.g., name or identification code corresponding to the publisher of the given client application cryptographically tied to client application source 130) via the hard-coded URL and ACURs to the executing JavaScript of theweb application 114 of theweb view 144. Instep 322, JavaScript ofauthorization methodology 311 then verifies the publisher of the launchedclient application 142 versus theauthorization information 112 that is included in the code of the currently loadedweb application 114, e.g., by determining if the identification information of the publisher of thecurrent client application 142 is listed as being authorized by a whitelist or hard code ID, or is listed as being unauthorized in a blacklist or by a hard code ID, etc. Based on this verification,methodology 311 then determines instep 324 if the currently-launchedclient application 142 is trusted and therefore an authorized client application to renderweb page 310 of theweb application 114 inweb view 144. If not, thenmethodology 311 proceeds to step 316 which is performed as previously described. This would occur, for example, in the case of clientinformation handling system 150 ofFIG. 1 which is executing a launchedunauthorized application 142 b. - However, if it is determined in
step 324 ofFIG. 3 that the currently-launchedclient application 142 a onclient system 140 is trusted (and therefore an authorized client application), thenmethodology 311 proceeds to step 326 where the executing JavaScript of theweb application 114 requests a cryptographic token (i.e., a token where the secret is a cryptographic key) fromclient application logic 304 of the executingclient application 142 a.Client application logic 304 responds to this request first instep 328 by creating a cryptographically random session identifier (ID) to use in all future requests made to the backend ofweb application 114 onweb server 110, and then instep 330 storing this created session ID in an application ID table or other data structure that is maintained involatile system memory 104 for the current web session on thecurrent client system 140.Client application logic 304 then provides the created session ID ofstep 328 to JavaScript of theweb application 114, which in turn stores the created session ID duringstep 332 in a JavaScript variable that has global scope (i.e., all scripts and function on the web page can access it) for transmission to web server 110 (e.g., as cookie, URL, etc.) as part of future requests to theweb server 110 that are made during the same current web session. - In
step 332, theclient system 140 executing the authorizedclient application 142 a connects to the backend ofweb application 114 onweb server 110 using the session ID provided by the web page/web applicationfront end code 311 instep 332 to “authenticate” on the given interface URL. Specifically, the session ID is transmitted toweb server 110 at this time where theweb server 110 stores the session ID (e.g., insystem memory 104 of web server 110) for future authentication of requests made by theclient application 142 a during the same web session. Once so “authenticated” theclient system 140 will be allowed to use any interface that theweb server 110 exposes, and all future updates from thebackend web application 114 onweb server 110, and transfer of sensitive data between the exposed APIs from the client application context with the web page are both secured. In a further embodiment, an additional step may be added to provide access control list (ACL) control on the interfaces to provide another level of security if desired. In any case, full dynamic rendering of theweb page 310 inweb view 144 is now allowed at this time, meaning that JavaScript on the displayedweb page 310 is now enbabled to update or otherwise alter theprerendered web page 310 in response to input received fromuser 302, e.g., provided via I/O devices of the client system such as mouse, keyboard, touch pad, touch screen, etc. -
FIG. 4 illustrates one exemplary embodiment of a detailed process flow for authenticating a user-request for loading a new web page or for a change to aweb page 310 that is already displayed inweb view 144 during an existing web session on aclient system 140, such as is the case after completion ofstep 216 ofFIG. 2 and step 332 ofFIG. 3 . As shown inFIG. 4 ,human user 302 provides input requesting the new web page or web page change to launched and executing client application 142 (e.g., by clicking a link or particular portion of the dynamically renderedweb page 310 displayed in web view 144). In response to this user input,client application 142 responds by requesting (e.g., using HTTPS request) the new web page or update/s to the existingweb page 310 acrossnetwork 190 from backend code ofweb application 114 that is executing onweb server 110. Theweb server 110 may respond to the web page request by sending HTML, CSS and JavaScript updates or a new web page corresponding to the latest user request to the executingclient application 142 acrossnetwork 190. At this time, theweb server 110 also provides the previously stored session ID (e.g., fromstep 332 ofFIG. 3 ) to theclient application 142 acrossnetwork 190. The frontend ofweb application 114 executing on theclient system 140 then loads and uses its JavaScript code to prerender the requested web page changes or new web page as a static web page inweb view 144 of the executingclient application 142 on display device of component/s 109 of the client system. - Next, as shown in
FIG. 4 , before allowing full dynamic rendering of the requested web page changes ornew web page 310, frontend JavaScript of theweb application 114 performs clientapplication authorization methodology 315 for an existing web session (i.e., a pre-existing session ID exists). As shown inFIG. 4 , step 402 ofauthorization methodology 315 provides the existing session ID received fromweb server 110 toclient application logic 304 of the executingclient application 142 for verification.Client application logic 304 responds as shown instep 404 by retrieving any current session ID (e.g., previously stored instep 330 ofFIG. 3 ) fromclient system memory 104, and then instep 406 compares any retrieved session ID fromclient system memory 104 with the session ID provided by theweb server 110 to determine if these session ID values match. If so,client application logic 304 provides a TRUE value to frontendJavaScript 315 of theweb application 114 which responds instep 408 by allowing transfer and full dynamic rendering of the requested web page updates ornew web page 310 fromweb server 110 for rending inweb view 144. However, if a retrieved session ID fromclient system memory 104 does not match the session ID provided by theweb server 110, or if no pre-existing session ID is found insystem memory 104 of theclient system 142, thenclient application logic 304 provides a FALSE value to frontendJavaScript 315 of theweb application 114 which responds instep 410 by setting a global flag to false and displaying an error page to theuser 302 on display device of component/s 109. In this case, steps ofmethodology 315 terminate without transfer and dynamic rendering of the requested web page update ornew web page 310. - It will be understood that the methodology of
FIGS. 3 and 4 may be optionally performed in one embodiment without requiringhuman user 302 to enter any login information (or to otherwise present user credentials such as ID and password) to theweb application 114 and/orclient application 142. Thus, such an embodiment may be advantageously implemented to make an authorization decision as to whether to allow aclient application 142 to render aweb application 114 within web-view 144 on aclient system human end user 302. However, it is alternatively possible that user characteristics (e.g. such as user ID and password) may be also be required for authorizing aclient application 142 to render aweb application 114. - It will also be understood that methodologies 3 and 4 are exemplary only, and that any combination of fewer, additional and/or alternative steps may be employed that are suitable for determining whether or not to authorize and allow a given web application to execute and render as a web page within a web-view of a client application based on a determined client application context (e.g., identity of the client application) in which the web application is to be executed and rendered as a web-page.
- It will be understood that one or more of the tasks, functions, or methodologies described herein (e.g., including those described herein for
components - It will also be understood that one or more steps of the present methodologies may be employed in one or more code segments of the computer program. For example, a code segment executed by the information handling system may include one or more steps of the disclosed methodologies. It will be understood that a processing device may be configured to execute or otherwise be programmed with software, firmware, logic, and/or other program instructions stored in one or more non-transitory tangible computer-readable mediums (e.g., data storage devices, flash memories, random update memories, read only memories, programmable memory devices, reprogrammable storage devices, hard drives, floppy disks, DVDs, CD-ROMs, and/or any other tangible data storage mediums) to perform the operations, tasks, functions, or actions described herein for the disclosed embodiments.
- For purposes of this disclosure, an information handling system may include any instrumentality or aggregate of instrumentalities operable to compute, calculate, determine, classify, process, transmit, receive, retrieve, originate, switch, store, display, communicate, manifest, detect, record, reproduce, handle, or utilize any form of information, intelligence, or data for business, scientific, control, or other purposes. For example, an information handling system may be a personal computer (e.g., desktop or laptop), tablet computer, mobile device (e.g., personal digital assistant (PDA) or smart phone), server (e.g., blade server or rack server), a network storage device, or any other suitable device and may vary in size, shape, performance, functionality, and price. The information handling system may include random access memory (RAM), one or more processing resources such as a central processing unit (CPU) or hardware or software control logic, ROM, and/or other types of nonvolatile memory. Additional components of the information handling system may include one or more disk drives, one or more network ports for communicating with external devices as well as various input and output (I/O) devices, such as a keyboard, a mouse, touch screen and/or a video display. The information handling system may also include one or more buses operable to transmit communications between the various hardware components.
- While the invention may be adaptable to various modifications and alternative forms, specific embodiments have been shown by way of example and described herein. However, it should be understood that the invention is not intended to be limited to the particular forms disclosed. Rather, the invention is to cover all modifications, equivalents, and alternatives falling within the spirit and scope of the invention as defined by the appended claims. Moreover, the different aspects of the disclosed methods and systems may be utilized in various combinations and/or independently. Thus, the invention is not limited to only those combinations shown herein, but rather may include other combinations.
Claims (20)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/201,610 US11165780B2 (en) | 2018-11-27 | 2018-11-27 | Systems and methods to secure publicly-hosted cloud applications to run only within the context of a trusted client application |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/201,610 US11165780B2 (en) | 2018-11-27 | 2018-11-27 | Systems and methods to secure publicly-hosted cloud applications to run only within the context of a trusted client application |
Publications (2)
Publication Number | Publication Date |
---|---|
US20200169560A1 true US20200169560A1 (en) | 2020-05-28 |
US11165780B2 US11165780B2 (en) | 2021-11-02 |
Family
ID=70770214
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/201,610 Active 2039-08-06 US11165780B2 (en) | 2018-11-27 | 2018-11-27 | Systems and methods to secure publicly-hosted cloud applications to run only within the context of a trusted client application |
Country Status (1)
Country | Link |
---|---|
US (1) | US11165780B2 (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112528274A (en) * | 2020-12-24 | 2021-03-19 | 微医云(杭州)控股有限公司 | Data processing method and device, electronic equipment and storage medium |
US11238147B2 (en) * | 2019-08-27 | 2022-02-01 | Comcast Cable Communications, Llc | Methods and systems for verifying applications |
US11429669B2 (en) | 2019-08-06 | 2022-08-30 | Twitter, Inc. | Managing query subscription renewals in a messaging platform |
US11579948B2 (en) * | 2019-03-12 | 2023-02-14 | The Boeing Company | Application programming interface for web page and visualization generation |
US20230126468A1 (en) * | 2021-10-26 | 2023-04-27 | Dell Products, L.P. | Information handling system bus out of band message access control |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20220383333A1 (en) * | 2021-05-28 | 2022-12-01 | Dell Products L.P. | System and method of validating one or more components of an information handling system |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7877461B1 (en) * | 2008-06-30 | 2011-01-25 | Google Inc. | System and method for adding dynamic information to digitally signed mobile applications |
US10185828B2 (en) | 2016-03-15 | 2019-01-22 | Dell Products L.P. | Systems and methods using virtual UEFI path for secure firmware handling in multi-tenant or server information handling system environments |
US10621101B2 (en) | 2017-02-01 | 2020-04-14 | Wyse Technology L.L.C. | Mechanism to free up the overlay of a file-based write filter |
US10783541B2 (en) | 2017-08-30 | 2020-09-22 | Dell Products L.P. | Systems and methods of using indirect user input signal characteristics to control inventory and/or server operations |
-
2018
- 2018-11-27 US US16/201,610 patent/US11165780B2/en active Active
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11579948B2 (en) * | 2019-03-12 | 2023-02-14 | The Boeing Company | Application programming interface for web page and visualization generation |
US11429669B2 (en) | 2019-08-06 | 2022-08-30 | Twitter, Inc. | Managing query subscription renewals in a messaging platform |
US11580165B2 (en) * | 2019-08-06 | 2023-02-14 | Twitter, Inc. | Event producer system of a messaging platform for delivering real-time messages |
US11238147B2 (en) * | 2019-08-27 | 2022-02-01 | Comcast Cable Communications, Llc | Methods and systems for verifying applications |
US20220253520A1 (en) * | 2019-08-27 | 2022-08-11 | Comcast Cable Communications, Llc | Methods and systems for verifying applications |
US11727101B2 (en) * | 2019-08-27 | 2023-08-15 | Comcast Cable Communications, Llc | Methods and systems for verifying applications |
CN112528274A (en) * | 2020-12-24 | 2021-03-19 | 微医云(杭州)控股有限公司 | Data processing method and device, electronic equipment and storage medium |
US20230126468A1 (en) * | 2021-10-26 | 2023-04-27 | Dell Products, L.P. | Information handling system bus out of band message access control |
US11720517B2 (en) * | 2021-10-26 | 2023-08-08 | Dell Products, L.P. | Information handling system bus out of band message access control |
Also Published As
Publication number | Publication date |
---|---|
US11165780B2 (en) | 2021-11-02 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110663027B (en) | Method and system for securely booting a computing system | |
US11165780B2 (en) | Systems and methods to secure publicly-hosted cloud applications to run only within the context of a trusted client application | |
US11916911B2 (en) | Gateway enrollment for Internet of Things device management | |
US9871821B2 (en) | Securely operating a process using user-specific and device-specific security constraints | |
US9319380B2 (en) | Below-OS security solution for distributed network endpoints | |
CN107408172B (en) | Securely booting a computer from a user-trusted device | |
US11509537B2 (en) | Internet of things device discovery and deployment | |
US9836601B2 (en) | Protecting anti-malware processes | |
US9710652B1 (en) | Verifying boot process of electronic device | |
CN107292176B (en) | Method and system for accessing a trusted platform module of a computing device | |
US20170255775A1 (en) | Software verification systems with multiple verification paths | |
TWI745629B (en) | Computer system and method for initializing computer system | |
US10853086B2 (en) | Information handling systems and related methods for establishing trust between boot firmware and applications based on user physical presence verification | |
US10592661B2 (en) | Package processing | |
US20170300692A1 (en) | Hardware Hardened Advanced Threat Protection | |
US11757859B2 (en) | Run-time attestation of a user workspace | |
KR20190062797A (en) | User terminal for using cloud service, integrated security management server of user terminal and method thereof | |
EP3298529B1 (en) | Electronic device and method in an electronic device | |
US20150007292A1 (en) | User authentication utilizing patterns |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: DELL PRODUCTS L.P., TEXAS Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:ARORA, MOHIT;SANAULLAH, ABU S.;SIGNING DATES FROM 20181124 TO 20181126;REEL/FRAME:047595/0090 |
|
FEPP | Fee payment procedure |
Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
|
AS | Assignment |
Owner name: THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., TEXAS Free format text: SECURITY AGREEMENT;ASSIGNORS:CREDANT TECHNOLOGIES, INC.;DELL INTERNATIONAL L.L.C.;DELL MARKETING L.P.;AND OTHERS;REEL/FRAME:049452/0223 Effective date: 20190320 |
|
AS | Assignment |
Owner name: CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, NORTH CAROLINA Free format text: SECURITY AGREEMENT;ASSIGNORS:DELL PRODUCTS L.P.;EMC CORPORATION;EMC IP HOLDING COMPANY LLC;REEL/FRAME:048825/0489 Effective date: 20190405 |
|
AS | Assignment |
Owner name: THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., TEXAS Free format text: SECURITY AGREEMENT;ASSIGNORS:CREDANT TECHNOLOGIES INC.;DELL INTERNATIONAL L.L.C.;DELL MARKETING L.P.;AND OTHERS;REEL/FRAME:053546/0001 Effective date: 20200409 |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: FINAL REJECTION MAILED |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED |
|
STCF | Information on status: patent grant |
Free format text: PATENTED CASE |
|
AS | Assignment |
Owner name: EMC IP HOLDING COMPANY LLC, TEXAS Free format text: RELEASE OF SECURITY INTEREST AT REEL 048825 FRAME 0489;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058000/0916 Effective date: 20211101 Owner name: EMC CORPORATION, MASSACHUSETTS Free format text: RELEASE OF SECURITY INTEREST AT REEL 048825 FRAME 0489;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058000/0916 Effective date: 20211101 Owner name: DELL PRODUCTS L.P., TEXAS Free format text: RELEASE OF SECURITY INTEREST AT REEL 048825 FRAME 0489;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058000/0916 Effective date: 20211101 |